Hi Rebecca,

Nice catch! This is the root cause of a bug I was recently trying to fix: it will cause printf to randomly fail if *(p+1) accidentally is '%'. So could you resend a patch with a start "GBE:....." and some more description about the bug fix.
Thanks
Xiuli Pan

-----Original Message-----
From: Beignet [mailto:beignet-boun...@lists.freedesktop.org] On Behalf Of Rebecca N. Palmer
Sent: Monday, November 2, 2015 7:09 AM
To: beignet@lists.freedesktop.org
Subject: [Beignet] [PATCH] Don't read past end of printf format string

Reading p+1 when p==end is an out of bounds read.

Signed-off-by: Rebecca Palmer <rebecca_pal...@zoho.com>
---
(Found by valgrind while investigating #90472; probably not the actual cause of that crash, but still a bug.)

diff --git a/backend/src/llvm/llvm_printf_parser.cpp b/backend/src/llvm/llvm_printf_parser.cpp
index bdaed8a..f427107 100644
--- a/backend/src/llvm/llvm_printf_parser.cpp
+++ b/backend/src/llvm/llvm_printf_parser.cpp
@@ -229,7 +229,7 @@ again:
       printf("string end with %%\n");
       goto error;
     }
-    if (*(p + 1) == '%') { // %%
+    if (p + 1 < end && *(p + 1) == '%') { // %%
       p += 2;
       goto again;
     }
_______________________________________________
Beignet mailing list
Beignet@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/beignet
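Review bot: the added `p + 1 < end` guard correctly prevents the lookahead read, but when it is false (the format string ends in a lone '%', which the commit message says is reachable) control now silently falls through past the `%%` case instead of reporting the malformed format, whereas the branch just above it reports "string end with %%" and jumps to error for the related case. Consider handling that explicitly, e.g. `if (p + 1 >= end) goto error;` before the `%%` test, so a trailing '%' is rejected rather than parsed as the start of a specifier by whatever follows the hunk.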
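To make the bug concrete, here is an added illustration that is not Beignet's code: a small scanner that walks a format string as a [p, end) byte range, the way the patched parser does, treats "%%" as a literal percent, and counts conversion specifiers. The function names (count_specs_unchecked, count_specs), the explicit error return for a trailing lone '%', and the sample format strings are all constructed for this example. The only difference between the two functions is the bound check on the lookahead *(p + 1), which is exactly the line the patch changes.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Pre-patch logic (for comparison only; not called by the tests).
 * When the string ends with '%', p + 1 == end and *(p + 1) reads one
 * byte past the buffer. With a string literal that byte happens to be
 * the terminating NUL, which is why the bug is easy to miss without a
 * tool such as valgrind; with a non-terminated buffer it is a genuine
 * out-of-bounds read.
 */
static int count_specs_unchecked(const char *fmt, size_t len)
{
    const char *p = fmt, *end = fmt + len;
    int n = 0;
    while (p < end) {
        if (*p != '%') { p++; continue; }
        if (*(p + 1) == '%') { p += 2; continue; } /* unguarded lookahead */
        n++;
        p++;
    }
    return n;
}

/*
 * Patched logic: only look at p + 1 when it lies inside the buffer.
 * Returns the number of conversion specifiers, or -1 when the format
 * ends with a lone '%', which is malformed and should be reported
 * rather than parsed.
 */
static int count_specs(const char *fmt, size_t len)
{
    const char *p = fmt, *end = fmt + len;
    int n = 0;
    while (p < end) {
        if (*p != '%') { p++; continue; }
        /* The guard added by the patch: never dereference p + 1 at end. */
        if (p + 1 < end && *(p + 1) == '%') { p += 2; continue; }
        if (p + 1 >= end) return -1;  /* trailing lone '%' */
        n++;   /* a conversion specifier starts here */
        p++;   /* flags, width and type letter are not parsed in this toy */
    }
    return n;
}

int main(void)
{
    /* Constructed sample inputs, including the trailing-'%' edge case. */
    const char *samples[] = { "hello %d and %s", "100%%", "rate: %d%%", "broken %" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-20s -> %d\n", samples[i], count_specs(samples[i], strlen(samples[i])));
    (void)count_specs_unchecked;
    return 0;
}
```

Running it with valgrind or with the unchecked function pointed at a non-NUL-terminated buffer is how the original read shows up; the checked version returns -1 for "broken %" instead of peeking past the end.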